Cloud security is the application of cybersecurity practices and programs to the protection of data and applications on public and private cloud platforms. Cloud security helps organizations manage both traditional cybersecurity issues and new challenges related to cloud environments.
For the purposes of this page, we will focus on considerations for securing public cloud platforms, since the challenges of private cloud more closely align to traditional challenges in cybersecurity.
Cloud platform providers are responsible for safeguarding their physical infrastructure and the basic computing, network, and storage services they provide. However, their customers retain most or all of the responsibility for protecting their applications, monitoring activities, and ensuring that security tools are correctly deployed and configured. This division of responsibility is known as the Shared Responsibility Model. That means customers cope with:
Cloud security solutions allow organizations to take advantage of the flexibility, scalability, openness, and reduced operating costs of today’s cloud platforms without endangering confidential data, regulatory compliance, or continuous business operations.
The benefits of cloud security include being able to:
Amazon Web Services (AWS) offers a feature-rich environment for hosting and managing workloads in the cloud. What are some of the ways that organizations can strengthen cloud security for workloads hosted on AWS?
Security teams can use a vulnerability management solution to discover and assess EC2 instances and scan them for vulnerabilities, misconfigurations, and policy violations.
A dynamic application security testing (DAST) solution can test web apps to discover vulnerabilities in the OWASP Top Ten and other attacks and potential violations of PCI DSS and other regulations. When a DAST solution is integrated with DevOps tools like Jenkins, security testing can be triggered at specified milestones in the development process to ensure that vulnerabilities and violations are detected and fixed before code is put into production.
To detect indicators of attacks and data breaches, a SIEM solution can be integrated with the management and security services provided by Amazon. This includes access to logs created by AWS CloudTrail and CloudWatch, as well as Virtual Private Cloud (VPC) flow logs and Amazon Route 53 DNS logs.
A SIEM solution designed to work with cloud platforms can enrich this log data with additional context from other sources (including endpoints, on-premises systems, and other cloud platforms), flag indicators of compromise, and use advanced security analytics to detect attacks early and remediate quickly.
Security alerts from AWS GuardDuty and other AWS services can be fed directly to a SIEM, allowing the enterprise security team to quickly investigate and respond.
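As an added illustration (not code from the original page or from any SIEM product) of what "flag indicators of compromise" and "enrich with context from other sources" mean in practice, the following script applies two detection rules to constructed CloudTrail-style records: repeated failed console logins followed by a success, and an IAM write performed from a source IP that no other data source (here, a hypothetical corporate VPN range) can account for.

```python
import ipaddress
from collections import defaultdict

# Constructed enrichment context (hypothetical, e.g. from an on-prem CMDB): known source ranges.
KNOWN_RANGES = {"corporate-vpn": ipaddress.ip_network("198.51.100.0/24")}

# CloudTrail event names that change IAM state; a write from an unknown source is worth a look.
IAM_WRITE_EVENTS = {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"}

# Constructed CloudTrail records (not real events), shaped like the fields CloudTrail emits.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-01-01T10:00:01Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:09Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:17Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:25Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"userName": "bob"}},  # from the known VPN range: not flagged
]

def enrich_ip(ip):
    """Return the context label for a source IP, or 'unknown' if no known range contains it."""
    addr = ipaddress.ip_address(ip)
    for label, net in KNOWN_RANGES.items():
        if addr in net:
            return label
    return "unknown"

def detect(records, fail_threshold=3):
    """Scan CloudTrail records in time order and return a list of findings (dicts)."""
    findings = []
    failures = defaultdict(int)  # (user, ip) -> consecutive failed console logins
    for r in sorted(records, key=lambda rec: rec["eventTime"]):
        user = r.get("userIdentity", {}).get("userName", "?")
        ip, key = r["sourceIPAddress"], (user, r["sourceIPAddress"])
        if r["eventName"] == "ConsoleLogin":
            outcome = r.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[key] += 1
            elif outcome == "Success":
                if failures[key] >= fail_threshold:
                    findings.append({"rule": "login_success_after_failures", "user": user, "ip": ip,
                                     "context": enrich_ip(ip), "failures": failures[key], "time": r["eventTime"]})
                failures[key] = 0
        elif r["eventName"] in IAM_WRITE_EVENTS and enrich_ip(ip) == "unknown":
            findings.append({"rule": "iam_write_from_unknown_source", "user": user, "ip": ip,
                             "event": r["eventName"], "time": r["eventTime"]})
    return findings
```

Running `detect(SAMPLE_CLOUDTRAIL)` yields two findings for the constructed data; the CreateUser from the known VPN range is suppressed by the enrichment step.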
Microsoft Azure is a powerful, flexible, scalable platform for hosting workloads in the cloud. How can organizations enhance security for workloads running on Azure?
A vulnerability management solution can use Azure Discovery Connection to discover and scan virtual machines and other assets as soon as they are spun up in an Azure environment. The scanning can uncover vulnerabilities, misconfigurations, policy violations, and other security risks. It may be possible to import Azure tags and use them to organize assets into dynamic groups that can be assessed and reported on selectively.
A DAST solution can be integrated with Azure DevOps Pipelines, allowing it to automatically launch scans for vulnerabilities at each stage in Continuous Integration and Continuous Deployment (CI/CD) workflows. This helps enterprises eliminate vulnerabilities from web applications early in the development process, when they are easiest to fix.
A SIEM solution can work with Azure Event Hubs, which aggregate cloud logs from important Azure services such as Azure Active Directory, Azure Monitor, the Azure Resource Manager (ARM), the Azure Security Center, and Office 365. The SIEM can obtain log data from Azure Event Hubs in real time, combine that log data with information from endpoints, networks, on-premises data centers, and other cloud platforms, and perform analyses that uncover phishing attacks, active malware, the use of compromised credentials, lateral movement by attackers, and other evidence of attacks.
The Azure Security Center also generates alerts, but lacks the data enrichment, analysis, and workflow features of a full SIEM. However, security teams can arrange to send Security Center alerts directly to a SIEM solution to take advantage of those advanced capabilities.
Cloud security is not just about providing security for separate cloud platforms independently. Rather, it is a matter of capturing, correlating, analyzing, and acting on all the security data generated by the organization and its cloud service providers.
With today’s microservice-based apps and hybrid and multi-cloud architectures, applications can be spread across several cloud platforms and on-premises data centers. Advanced attacks often start with endpoints or web apps and then move across multiple computing environments. Attacks against one cloud platform are often followed by the same type of attack against other cloud platforms.